we discuss how to effectively implement a risk-based approach to vulnerability management to drive effective patch management.

1. Differentiating vulnerabilities from
risks to reduce time to remediation
Simon Roe, Product Manager - RBVM
March 2021

2. Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Complete Application security for DevSecOps
Crest certificated penetration testing.

3. “A vulnerability is a weakness
which can be exploited by a
threat actor.”
3
• Given one or more
classifications
• CVE, OWASP, CWE
• Scored
• CVSS 3.1
What are Vulnerabilities

4. What is Risk
“expose (someone or something
valued) to danger, harm, or loss.”
In vulnerability terms :
“the probability of a vulnerability
being exploited and the impact that
has on the organization”
4

5. Vulnerability ≠ Risk
5

6. What makes up a ‘risk’
6

7. 1. Risk Score 7
Vulnerability Risk Score
Hacker
Content
Published
Exploits
NVD /
CVE

8. 2. The asset
8
Exposure Business Criticality
Asset Impact

9. 3. Risk
9
Vuln Risk Score Asset impact
Risk

10. Transitioning to risk based vuln management
10

11. Is this a view of your vulnerability landscape……
11

12. Or 10,343 vulns on your radar (56.4%)
Why overwhelmed? 12
18,352 vulns
published
2,709 Critical (14.8%) 7,634 High (41.6%)
In 2020 there were
Of which

13. 13
• Too many vulnerabilities
needing immediate attention
• Never able to meet KPI’s
• More new ones than
remediated ones
• Sense of drowning
How do you go from this

14. 14
• Getting a handle on your VM
program
• Effectively managing the real
risks
• Feel like winning the race
To this

15. • Old way
• Focus on CVSS score
• 1st critical
• 2nd high
• 3rd medium
• 4th anything else
• Usually results in 1,000’s vulns
15
• New Way
• Use risk scoring
• Classify assets
• Criticality or importance
• Exposure
• Add in exploit prediction for
early warning
• Typically, 5 – 10% of the total
vulns
Change your mindset

16. • CVSSv3 – 12,149 findings (C
1,730; H:10,419)
• Risk based – 6,825 across all
CVSS scores (C 155; H 1,284)
Customer example with 77,700+ findings
14%
86%
CVSS Based VM
Critical
High
2%
19%
50%
14%
15%
Risk Based
Critical
high
Medium
Low
CVSSv2

17. Patching Approaches
17
Reactive Active Proactive
Patch all Critical/High
vulns; as many others as
possible
Patch vulns that are likely to be /
have been exploited in the wild
Patch all vulns by
CVSS
Patch all vulns in
the order received
Patch vulns that have PoC exploits /
have been exploited in the wild
https://www.cyr3con.ai/

18. Moving to a proactive remediation program
• You focus on risk to the business not a CVSS score – you ask these
questions:
• What is the current risk of the vulnerability?
• Has it been or will it be weaponized?
• Is it present on a business impacting asset
• Is that business impacting asset exposed?
• Patch it.
18

19. 19
• A customer
• Focuses on likelihood of > 30.0
(out of 38.46, or >78% chance of
exploit)
• Gives a total number of in scope
vulns : 6,825 (out of 77,700)
• Critical 155
• High 1,284
• Medium 3,396
• Low 955
• CVSSv2 1,035
Proactive remediation in
action
2%
19%
50%
14%
15%
Proactive remediation
Critical
high
Medium
Low
CVSSv2

20. To boldly go further
• Add threat intelligence activity to further tune the number of in scope
vulns
• Example: is a vulnerability with an exploit that has had no activity for
4 years as urgent as one that was exploited 4 days ago?
20

21. 21
• With this change, the customer
has 169 total findings in
remediation scope
• Critical 15
• High 66
• Medium 67
• Non V3 21
• Out of 77,700 (0.3%)
We can go further
9%
39%
40%
12%
Using TI as part of the equation
Critical
High
medium
V2 only

22. Create tiered remediation SLA’s
22
Tier 1 : Likelihood > 30,
activity last 90 days,
Impact critical , Exposed
• 7-day remediation (15
findings)
Tier 2: Likelihood > 30,
activity last 90 days,
Impact High, Exposed
• 14-day remediation (66
findings)
Tier 3: likelihood > 30,
activity last 90 days,
Impact Medium, Exposed
• 30-day remediation (67
findings)
Tier 4: Likelihood > 30,
activity last 90 days, all
the rest, Exposed
• 60 days

23. Vulnerability ≠ Risk
23
• Remediate risks not vulnerabilities
• Focusing on top XX% of your vulns
• Build a tiered remediation plan
• Use Vuln risk
• Business impact
• Exposure
• Threat intelligence activity
• Change your mindset from the old
to the new

24. 24
Use the capabilities of Farsight to
• Identify and group assets
by exposure and criticality
• Use threat intelligence to
enrich each vulnerabilities
threat context
• Reduce the number of in
scope vulnerabilities
Putting it into practice

25. Want to know more
• Check out how RBVM could be a game changer for your VM program
• https://outpost24.com/products/network-security/risk-based-vulnerability-
management
• https://marketing.outpost24.com/mkg/whitepaper/reduce-time-to-
remediation-with-predictive-risk-based-vulnerability-management
• Explore our Farsight blog content on high risk CVEs
25

26. Simon Roe, sro@outpost24.com
Q&A